[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.5-37-g8203803
by NIIBE Yutaka
cvs at cvs.gnupg.org
Fri Mar 30 04:02:14 CEST 2018
The branch, STABLE-BRANCH-2-2 has been updated
via 820380335a20391e0998fb1ba32ebfb9accedc5b (commit)
via 29692718768c28c524be6306081ab1852e75fe07 (commit)
from a1515b3bbc10a210040dda3b482bcdb933fa8d7c (commit)
- Log -----------------------------------------------------------------
commit 820380335a20391e0998fb1ba32ebfb9accedc5b
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Fri Mar 30 10:59:10 2018 +0900
g10: Add "key-attr" command for --card-edit.
* g10/card-util.c (key_attr): New explicit command.
(generate_card_keys, card_generate_subkey): Don't ask key attr change.
(card_edit): Add for cmdKEYATTR.
--
GnuPG-bug-id: 3781
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/g10/card-util.c b/g10/card-util.c
index 263ab4e..055c9fb 100644
--- a/g10/card-util.c
+++ b/g10/card-util.c
@@ -1435,7 +1435,7 @@ ask_card_keyattr (int keyno, const struct key_attr *current)
}
if (algo == 0)
- got leave;
+ goto leave;
key_attr = xmalloc (sizeof (struct key_attr));
@@ -1541,12 +1541,56 @@ do_change_keyattr (int keyno, const struct key_attr *key_attr)
static void
+key_attr (void)
+{
+ struct agent_card_info_s info;
+ gpg_error_t err;
+ int keyno;
+
+ err = get_info_for_key_operation (&info);
+ if (err)
+ {
+ log_error (_("error getting card info: %s\n"), gpg_strerror (err));
+ return;
+ }
+
+ if (!(info.is_v2 && info.extcap.aac))
+ {
+ log_error (_("This command is not supported by this card\n"));
+ goto leave;
+ }
+
+ for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
+ {
+ struct key_attr *key_attr;
+
+ if ((key_attr = ask_card_keyattr (keyno, &info.key_attr[keyno])))
+ {
+ err = do_change_keyattr (keyno, key_attr);
+ xfree (key_attr);
+ if (err)
+ {
+ /* Error: Better read the default key attribute again. */
+ agent_release_card_info (&info);
+ if (get_info_for_key_operation (&info))
+ goto leave;
+ /* Ask again for this key. */
+ keyno--;
+ }
+ }
+ }
+
+ leave:
+ agent_release_card_info (&info);
+}
+
+
+static void
generate_card_keys (ctrl_t ctrl)
{
struct agent_card_info_s info;
int forced_chv1;
int want_backup;
- int keyno;
if (get_info_for_key_operation (&info))
return;
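Review bot: Inside the new `key_attr` function the loop declares `struct key_attr *key_attr`, so the local pointer shadows the function it lives in (and is easy to confuse with the struct tag); `-Wshadow` warns on it and a reader of `xfree (key_attr)` has to check which name is meant. Renaming the local, e.g. `struct key_attr *attr;` with `ask_card_keyattr`, `do_change_keyattr` and `xfree` taking `attr`, keeps the behaviour unchanged. The function also has no header comment; a one-liner such as `/* Interactively change the key attributes of each key slot on the card (card-edit command "key-attr").  */` would match the file's style. The retry path after a failed `do_change_keyattr` releases `info`, re-reads it and, if that re-read fails, jumps to `leave` where `info` is released once more; this mirrors the code removed from `generate_card_keys` and `card_generate_subkey` below, but it is worth confirming that `get_info_for_key_operation` leaves `info` safe to release after a failure.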
@@ -1594,32 +1638,6 @@ generate_card_keys (ctrl_t ctrl)
tty_printf ("\n");
}
- /* If the cards features changeable key attributes, we ask for the
- key size. */
- if (info.is_v2 && info.extcap.aac)
- {
- for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
- {
- struct key_attr *key_attr;
-
- if ((key_attr = ask_card_keyattr (keyno, &info.key_attr[keyno])))
- {
- gpg_error_t err = do_change_keyattr (keyno, key_attr);
- xfree (key_attr);
- if (err)
- {
- /* Error: Better read the default key attribute again. */
- agent_release_card_info (&info);
- if (get_info_for_key_operation (&info))
- goto leave;
- /* Ask again for this key. */
- keyno--;
- }
- }
- }
- /* Note that INFO has not be synced. However we will only use
- the serialnumber and thus it won't harm. */
- }
if (check_pin_for_key_operation (&info, &forced_chv1))
goto leave;
@@ -1678,31 +1696,6 @@ card_generate_subkey (ctrl_t ctrl, kbnode_t pub_keyblock)
goto leave;
}
- /* If the cards features changeable key attributes, we ask for the
- key size. */
- if (info.is_v2 && info.extcap.aac)
- {
- struct key_attr *key_attr;
-
- ask_again:
- if ((key_attr = ask_card_keyattr (keyno-1, &info.key_attr[keyno-1])))
- {
- err = do_change_keyattr (keyno-1, key_attr);
- xfree (key_attr);
- if (err)
- {
- /* Error: Better read the default key attribute again. */
- agent_release_card_info (&info);
- err = get_info_for_key_operation (&info);
- if (err)
- goto leave;
- goto ask_again;
- }
- }
- /* Note that INFO has not be synced. However we will only use
- the serialnumber and thus it won't harm. */
- }
-
err = check_pin_for_key_operation (&info, &forced_chv1);
if (err)
goto leave;
@@ -2091,6 +2084,7 @@ enum cmdids
cmdNAME, cmdURL, cmdFETCH, cmdLOGIN, cmdLANG, cmdSEX, cmdCAFPR,
cmdFORCESIG, cmdGENERATE, cmdPASSWD, cmdPRIVATEDO, cmdWRITECERT,
cmdREADCERT, cmdUNBLOCK, cmdFACTORYRESET, cmdKDFSETUP,
+ cmdKEYATTR,
cmdINVCMD
};
@@ -2124,6 +2118,7 @@ static struct
{ "unblock" , cmdUNBLOCK,0, N_("unblock the PIN using a Reset Code") },
{ "factory-reset", cmdFACTORYRESET, 1, N_("destroy all keys and data")},
{ "kdf-setup", cmdKDFSETUP, 1, N_("setup KDF for PIN authentication")},
+ { "key-attr", cmdKEYATTR, 1, N_("change the key attribute")},
/* Note, that we do not announce these command yet. */
{ "privatedo", cmdPRIVATEDO, 0, NULL },
{ "readcert", cmdREADCERT, 0, NULL },
@@ -2411,6 +2406,10 @@ card_edit (ctrl_t ctrl, strlist_t commands)
kdf_setup ();
break;
+ case cmdKEYATTR:
+ key_attr ();
+ break;
+
case cmdQUIT:
goto leave;
commit 29692718768c28c524be6306081ab1852e75fe07
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Fri Mar 30 09:59:09 2018 +0900
scd: Support changing key attribute back to RSA.
* scd/app-openpgp.c (change_rsa_keyattr): Try usual RSA.
--
In the OpenPGP card specification, there are multiple options to
support RSA (having P and Q or not, etc.), and it is implementation
dependent. Since GnuPG doesn't have knowledge of which card
implementation supports which option, and there is no way (yet) for a card
to express which key attributes it supports, we haven't
supported changing the key attribute back to RSA. But many card
implementations use P and Q, so try this option. In other cases,
factory-reset would be the easier option.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index e0c9d59..7bbec03 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -3208,21 +3208,33 @@ change_rsa_keyattr (app_t app, int keyno, unsigned int nbits,
relptr = get_one_do (app, 0xC1+keyno, &buf, &buflen, NULL);
if (!relptr)
err = gpg_error (GPG_ERR_CARD);
- else if (buflen < 6 || buf[0] != PUBKEY_ALGO_RSA)
+ else if (buflen < 6)
{
- /* Attriutes too short or not an RSA key. */
+ /* Attributes too short. */
xfree (relptr);
err = gpg_error (GPG_ERR_CARD);
}
else
{
- /* We only change n_bits and don't touch anything else. Before we
- do so, we round up NBITS to a sensible way in the same way as
- gpg's key generation does it. This may help to sort out problems
- with a few bits too short keys. */
+ /* If key attribute was RSA, we only change n_bits and don't
+ touch anything else. Before we do so, we round up NBITS to a
+ sensible way in the same way as gpg's key generation does it.
+ This may help to sort out problems with a few bits too short
+ keys. */
nbits = ((nbits + 31) / 32) * 32;
buf[1] = (nbits >> 8);
buf[2] = nbits;
+
+ /* If it was not RSA, we need to fill other parts. */
+ if (buf[0] != PUBKEY_ALGO_RSA)
+ {
+ buf[0] = PUBKEY_ALGO_RSA;
+ buf[3] = 0;
+ buf[4] = 32;
+ buf[5] = 0;
+ buflen = 6;
+ }
+
err = change_keyattr (app, keyno, buf, buflen, pincb, pincb_arg);
xfree (relptr);
}
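Review bot: The bytes written when the slot was not RSA, `buf[3] = 0; buf[4] = 32; buf[5] = 0;`, are bare magic numbers, whereas the neighbouring `buf[1]`/`buf[2]` stores are at least explained by `nbits`; in the OpenPGP card RSA attribute layout these are the 16-bit public-exponent length (0x0020, i.e. 32 bits) and the import format (0 = standard, with e, p and q), which is precisely the choice the commit message argues for. Commenting them in place, e.g. `buf[3] = 0; buf[4] = 32;  /* Public exponent length: 32 bits.  */` and `buf[5] = 0;  /* Import format 0: standard (e, p, q).  */`, saves the next reader a trip to the spec. The in-bounds write of `buf[3..5]` relies solely on the retained `buflen < 6` check in the preceding `else if`, so the two must stay coupled; a short `/* buflen >= 6 was verified above.  */` before the block would make that dependence explicit. Setting `buflen = 6` also drops any trailing bytes of the previous non-RSA attribute, which looks intentional but deserves a word in the block comment.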
-----------------------------------------------------------------------
Summary of changes:
g10/card-util.c | 105 +++++++++++++++++++++++++++---------------------------
scd/app-openpgp.c | 24 +++++++++----
2 files changed, 70 insertions(+), 59 deletions(-)